View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005974 | unreal | ircd | public | 2021-09-19 18:03 | 2022-05-14 19:48 |
Reporter | armyn | Assigned To | syzop | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 5.2.1.1 | ||||
Fixed in Version | 6.0.4-rc1 | ||||
Summary | 0005974: Problem that I can not understand on the "security-groups" | ||||
Description |

In my configuration I have this:

```
set {
    /* Protections anti-flood */
    anti-flood {
        /* These limits apply to all users,
         * Only these 4 settings belong here (and only here):
         */
        everyone {
            connect-flood 15:20;
            handshake-data-flood {
                amount 4k;
                ban-action zline;
                ban-time 1m;
            }
            target-flood {
                channel-privmsg 45:5;
                channel-notice 15:5;
                channel-tagmsg 15:5;
                private-privmsg 30:5;
                private-notice 25:5;
                private-tagmsg 30:5;
            }
        }

        /* These are the "known users" who (if you use default
         * security group settings) are: registered users
         * who are identified to services, OR have been connected
         * to UnrealIRCd for longer than 2 hours.
         */
        applet-identified {
            nick-flood 3:60;
            join-flood 7:60;
            away-flood 20:60;
            invite-flood 4:60;
            knock-flood 4:120;
            max-concurrent-conversations {
                users 20;
                new-user-every 1s;
            }
        }

        /* Everyone who is not in the known-users group.
         * These users have lower limits:
         */
        applet-noidentified {
            nick-flood 2:60;
            join-flood 4:60;
            away-flood 30:120;
            invite-flood 2:60;
            knock-flood 2:120;
            max-concurrent-conversations {
                users 20;
                new-user-every 1s;
            }
        }

        /* These are the "known users" who (if you use default
         * security group settings) are: registered users
         * who are identified to services, OR have been connected
         * to UnrealIRCd for longer than 2 hours.
         */
        known-users {
            nick-flood 3:60;
            join-flood 7:60;
            away-flood 20:60;
            invite-flood 4:60;
            knock-flood 4:120;
            max-concurrent-conversations {
                users 20;
                new-user-every 1s;
            }
        }

        /* Everyone who is not in the known-users group.
         * These users have lower limits:
         */
        unknown-users {
            nick-flood 2:60;
            join-flood 4:60;
            away-flood 30:120;
            invite-flood 2:60;
            knock-flood 2:120;
            max-concurrent-conversations {
                users 20;
                new-user-every 1s;
            }
        }
    }
};

security-group users-1 {
    identified no;
    webirc yes;
    reputation-score 3;
}

security-group applet-identified {
    identified yes;
    webirc yes;
}

security-group applet-noidentified {
    identified no;
    webirc yes;
}
```

Here is a client connecting:

```
[17:44:15] -irc.d.com- *** Client connecting: tixxx ([email protected]) [90.1xxxxx] [class: clients] [secure: TLSv1.2-ECDHE-RSA-AES256-GCM-SHA384] [account: tixxx] [reputation: 207] [security-groups: known-users,applet-noidentified,applet-identified,users-1,webirc-users,tls-and-known-users,tls-users]
```

You have to look instead here:

```
[security-groups: known-users,applet-noidentified,applet-identified,users-1,webirc-users,tls-and-known-users,tls-users]
```

It is not normal for "known-users" to show here, as normally it should be ignored; just like applet-noidentified, it shouldn't show either.

The exact configuration of the "tixxx" client is actually this:

- Connection by SASL (sasl identification)
- It is connected by WEBIRC
- Tixxx is successfully identified by SASL

It should display this:

```
[security-groups: applet-identified,users-1,webirc-users,tls-and-known-users,tls-users]
```

but it is not. As a result, Tixxx is still considered a "known-users" and not like an "applet-identified".

Where could the problem come from?

Regards
Tags | No tags attached. | ||||
3rd party modules | |||||
|
From https://www.unrealircd.org/docs/Security-group_block:

* identified: if set to yes, then if the user is identified to Services then it is considered a match.
* webirc: if set to yes, then if the user comes from a WEBIRC gateway then it is considered a match.
* tls: if set to yes, then if the user is using a SSL/TLS connection then it is considered a match.
* reputation-score: if set, then if the user has a reputation score of this value or higher, it is considered a match.
* include-mask: if a mask item matches, then the security group is considered a match. (UnrealIRCd 5.2.1 or later)

Any items set to no mean the check will be skipped. Any items set to yes that are true mean the security group matches the user (only 1 item that is set to yes needs to match).

So two important things:

* These are all "OR" matches, so any "yes" means it matched, and we stop looking at other options
* A "no" has no meaning. The only reason "no" exists is so you can override a "yes" from a default security group such as known-users.
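The matching rules described in the note above, modelled in Python as an added example (not part of the original note and not UnrealIRCd code). The group definitions are copied from the reporter's configuration; the three clients are constructed, the first mirroring the `tixxx` connect notice, and `include-mask` is left out of the model.

```python
# Added illustration: a model of the 5.x matching rules quoted above,
# not UnrealIRCd source code.

# Groups copied from the reporter's configuration.
GROUPS = {
    "users-1": {"identified": "no", "webirc": "yes", "reputation-score": 3},
    "applet-identified": {"identified": "yes", "webirc": "yes"},
    "applet-noidentified": {"identified": "no", "webirc": "yes"},
}

BOOLEAN_ITEMS = ("identified", "webirc", "tls")


def match_reason(group, client):
    """Return the item that makes `client` match `group`, or None."""
    for item in BOOLEAN_ITEMS:
        # "no" (or absent) means the check is skipped, not "must be false".
        if group.get(item) == "yes" and client.get(item):
            return item  # OR semantics: the first true "yes" item decides
    minimum = group.get("reputation-score")
    if minimum is not None and client.get("reputation", 0) >= minimum:
        return "reputation-score"
    return None


def matching_groups(client):
    """Map each matching group name to the item that caused the match."""
    reasons = {name: match_reason(g, client) for name, g in GROUPS.items()}
    return {name: why for name, why in reasons.items() if why}


# Constructed clients; the first mirrors "tixxx" from the connect notice.
TIXXX = {"identified": True, "webirc": True, "tls": True, "reputation": 207}
ANON_WEBIRC = {"identified": False, "webirc": True, "tls": True, "reputation": 0}
DIRECT_IDENTIFIED = {"identified": True, "webirc": False, "tls": True, "reputation": 0}

if __name__ == "__main__":
    for label, client in [("tixxx", TIXXX), ("anon-webirc", ANON_WEBIRC),
                          ("direct-identified", DIRECT_IDENTIFIED)]:
        print(label, matching_groups(client))
```

Because `webirc yes` appears in all three groups, every WEBIRC client lands in all of them regardless of login state, so per-group limits keyed on `applet-identified` versus `applet-noidentified` cannot tell those users apart.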
|
I replaced everything with:

```
set {
    /* Protections anti-flood */
    anti-flood {
        /* These limits apply to all users,
         * Only these 4 settings belong here (and only here):
         */
        everyone {
            connect-flood 15:20;
            handshake-data-flood {
                amount 4k;
                ban-action zline;
                ban-time 1m;
            }
            target-flood {
                channel-privmsg 45:5;
                channel-notice 15:5;
                channel-tagmsg 15:5;
                private-privmsg 30:5;
                private-notice 25:5;
                private-tagmsg 30:5;
            }
        }

        /* These are the "known users" who (if you use default
         * security group settings) are: registered users
         * who are identified to services, OR have been connected
         * to UnrealIRCd for longer than 2 hours.
         */
        known-users {
            nick-flood 3:60;
            join-flood 8:60;
            away-flood 25:60;
            invite-flood 4:60;
            knock-flood 4:120;
            max-concurrent-conversations {
                users 20;
                new-user-every 1s;
            }
        }

        /* Everyone who is not in the known-users group.
         * These users have lower limits:
         */
        unknown-users {
            nick-flood 2:60;
            join-flood 4:60;
            away-flood 30:120;
            invite-flood 2:60;
            knock-flood 2:120;
            max-concurrent-conversations {
                users 20;
                new-user-every 1s;
            }
        }
    }
};
```

It's much better, I took out all the rest.
|
Seems to be solved. Also, I enhanced the https://www.unrealircd.org/docs/Security-group_block a lot with the last few commits (will be in 6.0.4). You can select on things, and then exclude other things etc. See https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/RELEASE-NOTES.md#unrealircd-604-git
Date Modified | Username | Field | Change |
---|---|---|---|
2021-09-19 18:03 | armyn | New Issue | |
2021-09-19 18:39 | syzop | Note Added: 0022119 | |
2021-09-19 18:39 | syzop | Note Edited: 0022119 | |
2021-09-19 18:40 | syzop | Note Edited: 0022119 | |
2021-09-21 17:17 | armyn | Note Added: 0022120 | |
2022-05-14 19:48 | syzop | Assigned To | => syzop |
2022-05-14 19:48 | syzop | Status | new => resolved |
2022-05-14 19:48 | syzop | Resolution | open => fixed |
2022-05-14 19:48 | syzop | Fixed in Version | => 6.0.4-rc1 |
2022-05-14 19:48 | syzop | Note Added: 0022485 |